What Is Wireless Setup
Wireless Setup provides an easy way to set up wireless flows for 802.1X, Guest and BYOD services. It also provides workflows to configure and customize each portal for Guest and BYOD services, where appropriate. By providing the most common recommended settings, these workflows are much simpler than configuring the associated portal flow in Cisco ISE. Wireless Setup performs many steps that you would otherwise have to do yourself in Cisco ISE and on the Wireless Controller, so you can quickly create a working environment.
You can use the environment created by Wireless Setup to test and develop your flows. Once your Wireless Setup environment is working, you may want to switch to Cisco ISE so that you can support advanced configurations. For more information about configuring Guest services in Cisco ISE, see the ISE Administrators Guide for your version of Cisco ISE, and the Cisco Community Site https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224. For more information about configuring and using Wireless Setup for Cisco ISE, see https://community.cisco.com/t5/security-documents/cisco-ise-secure-access-wizard-saw-guest-byod-and-secure-access/ta-p/3636602.
Note: Cisco ISE Wireless Setup is beta software. Please do not use Wireless Setup in production networks.
-
Wireless Setup is disabled by default after a fresh installation of Cisco ISE. You can enable Wireless Setup from the Cisco ISE CLI with the application configure ise command (select option 17) or by using the Wireless Setup option available in the top right-hand corner of the Cisco ISE GUI home page.
-
Wireless Setup does not work if you upgrade Cisco ISE from a previous version. Wireless Setup is supported only for new Cisco ISE installations.
-
Wireless Setup works only on a standalone node.
-
Run only one instance of Wireless Setup at a time. Only one person can run Wireless Setup at a time.
-
Wireless Setup requires ports 9103 and 9104 to be open. To close these ports, use the CLI to disable Wireless Setup.
-
If you would like to start a fresh installation of Wireless Setup after running some flows, you can use the CLI command application reset-config ise. This command resets the Cisco ISE configuration and clears the Cisco ISE database, but keeps the network definitions, so you can reset Cisco ISE and Wireless Setup without having to reinstall Cisco ISE and run setup.
If you would like to start over with Wireless Setup, you can reset the configuration of both Cisco ISE and Wireless Setup with the following steps:
-
In the CLI, run application reset-config to reset all Cisco ISE configuration. If you were testing Wireless Setup on a fresh installation, this command removes the configurations done by Wireless Setup in Cisco ISE.
-
In the CLI, run application configure ise, and choose [18]Reset Config Wi-Fi Setup. This cleans the Wireless Setup configuration database.
-
On the Wireless Controller, remove the configurations added by Wireless Setup. For information about what Wireless Setup configures on the Wireless Controller, see Changes on Cisco ISE and Wireless Controller by the Wireless Setup flow.
You can avoid these steps by taking a snapshot of the VM after you finish a fresh installation of Cisco ISE.
For more information about the CLI, see the Cisco Identity Services Engine CLI Reference Guide for your version of ISE.
-
You must be a Cisco ISE Super Admin user to use Wireless Setup.
-
Wireless Setup requires at least two CPU cores and 8 GB of memory.
-
Only Active Directory (AD) groups and users are supported. After you have created one or more flows in Wireless Setup, other types of users, groups, and authorizations are available for Wireless Setup, but they must be configured on ISE.
-
If you already defined Active Directory in Cisco ISE, and you plan to use this AD for Wireless Setup, then:
-
The join name and domain name must be the same. If the names are not the same, then make them the same in Cisco ISE before using that AD in Wireless Setup.
-
If your Wireless Controller is already configured on Cisco ISE, the Wireless Controller must have a shared secret configured. If the Wireless Controller definition does not have the shared secret, then either add the shared secret, or delete the Wireless Controller from Cisco ISE, before configuring that Wireless Controller in Wireless Setup.
-
Wireless Setup can configure Cisco ISE components, but it can't delete or modify them after a flow has been started. For a list of all the things that Wireless Setup configures in Cisco ISE, see Cisco Identity Services Engine CLI Reference Guide for your version of Cisco ISE.
-
When you start a flow, you must complete the flow. Clicking a breadcrumb in the flow stops the flow. As you step through a flow, changes are made to the Cisco ISE configuration dynamically. Wireless Setup provides a list of configuration changes, so you can manually revert them. You can't back up in a flow to make extra changes, with one exception: you can go back to change Guest or BYOD portal customization.
-
Multiple Wireless Controllers and Active Directory domains are supported, but each flow can only support one Wireless Controller and one Active Directory.
-
Wireless Setup requires a Cisco ISE Basic license to operate. BYOD requires a Cisco ISE Plus license.
-
If you have configured Cisco ISE resources before configuring Wireless Setup, Wireless Setup may have conflicts with an existing policy. If this happens, Wireless Setup advises you to review the authorization policy after running through the tool. We recommend that you start with a clean setup of Cisco ISE when running Wireless Setup. Support for a mixed configuration of Wireless Setup and Cisco ISE is limited.
-
Wireless Setup is available in English, but not other languages. If you want to use other languages with your portal, configure that in Cisco ISE after running Wireless Setup.
-
Dual SSID is supported for BYOD. The Open SSID used in this configuration does not support guest access, due to conflicts. If you need a portal that supports both guest and BYOD, you cannot use Wireless Setup; that configuration is outside the scope of this document.
-
Email and SMS Notifications
-
For self-registered guests, SMS and email notification is supported. These notifications are configured in the portal customization notification section. You must configure an SMTP server to support SMS and email notifications. The cellular providers built into Cisco ISE, which include AT&T, T-Mobile, Sprint, Orange and Verizon, are pre-configured, and their email-to-SMS gateways are free to use.
-
A guest chooses their cell provider in the portal. If their provider is not in the list, then they can't receive a message. You can also configure a global provider, but that is outside the scope of this guide. If the guest portal is configured for SMS and email notification, then the guest must enter values for both of those services.
-
The Sponsored guest flow does not provide configuration for SMS or email notification in Wireless Setup. For that flow, you must configure notification services in Cisco ISE.
-
Do not select the SMS provider Global Default when configuring notifications for a portal. This provider is not configured by default.
-
Wireless Setup only supports a standalone setup without HA. If you decide to use extra PSNs for authentication, then add the Cisco ISE IP address of those PSNs to your Wireless Controller’s RADIUS configuration.
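The note above says that Wireless Setup needs ports 9103 and 9104 open and that disabling it from the CLI closes them. The following added example (not Cisco code) checks an inventory of ISE nodes for those ports and flags production nodes where they still accept connections. It assumes the ports are TCP; the inventory format, role labels and function names are hypothetical.

```python
import socket

# Ports the page says Wireless Setup needs open; TCP is an assumption.
WIRELESS_SETUP_PORTS = (9103, 9104)

def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False

def audit(inventory, ports=WIRELESS_SETUP_PORTS, timeout=2.0):
    """inventory: {host: "production" | "lab"} (hypothetical format).
    Returns a list of (host, role, open_ports, verdict) tuples."""
    results = []
    for host, role in sorted(inventory.items()):
        open_ports = [p for p in ports if port_open(host, p, timeout)]
        if not open_ports:
            verdict = "ok: Wireless Setup ports closed"
        elif role == "production":
            # Beta feature reachable on a production node
            verdict = "finding: disable Wireless Setup from the ISE CLI"
        else:
            verdict = "note: Wireless Setup appears enabled (lab)"
        results.append((host, role, open_ports, verdict))
    return results

if __name__ == "__main__":
    # Constructed demo: a local listener stands in for an ISE node.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    for row in audit({"127.0.0.1": "production"}, ports=(demo_port,)):
        print(row)
    listener.close()
```

Run it from a host that can reach the ISE management interface; an "ok" result for a node that is unreachable from the scanning host does not show that Wireless Setup is disabled.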
Wireless Setup Support for Apple Mini-Browser (Captive Network Assistant)
-
Guest Flows: Auto popup of the Apple pseudo browser works with all Guest Flows. A guest may go through the flow using Apple's Captive Network Assistant browser. When an Apple user connects to the OPEN network, the minibrowser pops up automatically, which allows them to accept an AUP (hotspot), or to go through self-registration or log in with their credentials.
-
BYOD
-
Single SSID: Cisco ISE Release 2.2 added support for the Apple minibrowser. However, to limit potential problems with the SSID flows on Apple devices, we suppressed the minibrowser by adding captive.apple.com to the redirection ACL. This causes the Apple device to think it has access to the Internet. The user must manually launch the Safari browser to be redirected to the portal for web authentication or device onboarding.
-
Dual SSID: For a Dual SSID flow, which starts with an initial OPEN network WLAN to start guest access or to allow your employees to go through Device Onboarding (BYOD) and then redirects to a secured SSID, the minibrowser is also suppressed.
-
For more information about the Apple CNA minibrowser, see https://communities.cisco.com/docs/DOC-71122.